Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSO/OpenID: Use a mobile-redirect route (Fixes #2379 and #2381) #2386

Merged
merged 6 commits into from
Dec 7, 2023
Merged

SSO/OpenID: Use a mobile-redirect route (Fixes #2379 and #2381) #2386

merged 6 commits into from
Dec 7, 2023

Conversation

Sapd
Copy link
Contributor

@Sapd Sapd commented Dec 4, 2023
edited
Loading

This PR modifies the oauth flow to always provide a https callback (which on mobile the ABS server will redirect to the app link). Also it will enable 3rd party app support as different app-callback urls are possible.

  • Implement /auth/openid/mobile-redirect this will redirect to an app-link like audiobookshelf://oauth
  • An app must provide an redirect_uri parameter with the app-link in the authorization request to /auth/openid
  • The user will have to whitelist possible URLs, or explicitly allow all
  • Also modified MultiSelect to allow to hide the menu/popup

The user needs to allow redirect-uris for mobile applications in the ABS settings, because they are now hidden from the SSO provider.
I set as default audiobookshelf://oauth, the user can also add multiple others, or just provide an asterisk allowing all URLs (or even delete the default). This way we can easily support 3rd-party apps.

In the SSO Provider, as valid redirect_uris the user now has to set:

https://absurl/auth/openid/callback
https://absurl/auth/openid/mobile-redirect

or if his auth providers supports wildcards, simply:

https://absurl/auth/openid/*

I also thought about adding a another route after the auth-request where the user is not directly forwarded to the auth provider, but to an ABS page, where ABS explains that an App wants to login. Similar to the idea suggested in #2381
However Im not sure if it would make sense, because usually the user knows in which App he is... and it does not increase security because the App name provided can simply be faked.
But if we want to do it for some reason anyways, it is possible on top of this PR.

Still a (third party) app can - and maybe should - provide a client_id in the first request with the Apps name which we could use later (possibly for logging, statistics, user sessions list etc.). I also provided it in the mobile PR.
Also the mobile app (or 3rd party app developers) now need to provide their redirect url as app-link in the auth request to /auth/openid/auth
While everything is standard oauth2, I will probably provide some guidelines in the API docs of how a 3rd party app dev can use the oauth endpoints.

Required Mobile app change: advplyr/audiobookshelf-app#969

Sapd and others added 6 commits December 4, 2023 22:36
@Sapd
SSO/OpenID: Use a mobile-redirect route (Fixes advplyr#2379 and advpl…
80fd2a1 
…yr#2381)

- Implement /auth/openid/mobile-redirect this will redirect to an app-link like audiobookshelf://oauth
- An app must provide an `redirect_uri` parameter with the app-link in the authorization request to /auth/openid
- The user will have to whitelist possible URLs, or explicitly allow all
- Also modified MultiSelect to allow to hide the menu/popup
@Sapd
SSO/OpenID: Remove modifying redirect_uri in the callback
e6ab283 
The redirect URI will be now correctly set to either /callback or /mobile-redirect in the /auth/openid route
@Sapd
SSO/OpenID: Also fix possible race condition
cf00650 
- We need to define redirect_uri in the callback again, because the global params of passport can change between calls to the first route (ie. if multiple users log in at same time)
- Removed is_rest parameter as requirement for mobile flow (to maximise compatibility with possible oauth libraries)
- Also renamed some variables for clarity
@advplyr
Update auth settings endpoint to return updated flag and show whether…
341a045 
… updates were made in client toast
@advplyr
Merge branch 'master' into sso-redirecturi
8f4c65e
@advplyr
Map new translations to other files
98104a3
@advplyr
Copy link
Owner

advplyr commented Dec 7, 2023

I also thought about adding a another route after the auth-request where the user is not directly forwarded to the auth provider, but to an ABS page, where ABS explains that an App wants to login. Similar to the idea suggested in #2381
However Im not sure if it would make sense, because usually the user knows in which App he is... and it does not increase security because the App name provided can simply be faked.
But if we want to do it for some reason anyways, it is possible on top of this PR.

I understand why Github would do this but it seems unnecessary for Abs. We could do it in the future if it turns out to be valuable.

This PR is working great as-is. Thanks!

@advplyr advplyr merged commit b8c8d2a into advplyr:master Dec 7, 2023
1 check passed
mark-monteiro added a commit to mark-monteiro/audiobookshelf-web that referenced this pull request Jan 2, 2024
@mark-monteiro
Add mobile redirect URI to OIDC guide
ffbd80d 
This additional URL is required for OIDC authentication in the mobile app. It was added in advplyr/audiobookshelf#2386
@mark-monteiro mark-monteiro mentioned this pull request Jan 2, 2024
Closed
mark-monteiro added a commit to mark-monteiro/audiobookshelf-web that referenced this pull request Jan 2, 2024
@mark-monteiro
Update OIDC mobile redirect URI
b0fec3a 
This was changed in advplyr/audiobookshelf#2386
@mark-monteiro mark-monteiro mentioned this pull request Jan 2, 2024
Merged
@skyzuma skyzuma mentioned this pull request May 4, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Sapd @advplyr